import all the shared XSS sources and sinks

2026-04-23 15:55:18 +02:00 · 2019-11-15 15:41:53 +01:00
parent 65a018ceed
commit e95cceef1d
6 changed files with 57 additions and 17 deletions
--- a/javascript/ql/src/Security/CWE-079/ExceptionXss.ql
+++ b/javascript/ql/src/Security/CWE-079/ExceptionXss.ql
@@ -21,5 +21,5 @@ from
 where
  cfg.hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
-  sink.getNode().(Sink).getVulnerabilityKind() + " vulnerability due to $@.", source.getNode(),
+  sink.getNode().(XSS::Shared::Sink).getVulnerabilityKind() + " vulnerability due to $@.", source.getNode(),
  "user-provided value"
--- a/javascript/ql/src/semmle/javascript/security/dataflow/ExceptionXss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ExceptionXss.qll
@@ -1,12 +1,18 @@
 /**
- * Provides a taint-tracking configuration for TODO:
+ * Provides a taint-tracking configuration for reasoning about cross-site 
+ * scripting vulnerabilities where the taint-flow passes through a thrown 
+ * exception. 
 */

 import javascript

 module ExceptionXss {
-  import Xss::DomBasedXss // imports sinks
-  import DomBasedXssCustomizations::DomBasedXss // imports sources
+  import DomBasedXssCustomizations::DomBasedXss as DomBasedXssCustom
+  import ReflectedXssCustomizations::ReflectedXss as ReflectedXssCustom 
+  import Xss::DomBasedXss as DomBasedXss 
+  import Xss::ReflectedXss as ReflectedXSS
+  import Xss::StoredXss as StoredXss
+  import Xss as XSS

  DataFlow::Node getExceptionalSuccssor(DataFlow::Node pred) {
    exists(DataFlow::FunctionNode func |
@@ -53,16 +59,16 @@ module ExceptionXss {
    Configuration() { this = "ExceptionXss"}

    override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
-      source instanceof Source and label instanceof NotYetThrown
+      source instanceof XSS::Shared::Source and label instanceof NotYetThrown
    }
    
    override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
-   	  sink instanceof Sink and label.isDataOrTaint()
+   	  sink instanceof XSS::Shared::Sink and label.isDataOrTaint()
   	}

    override predicate isSanitizer(DataFlow::Node node) {
      super.isSanitizer(node) or
-      node instanceof Sanitizer
+      node instanceof XSS::Shared::Sanitizer
    }

    override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl) {
--- a/javascript/ql/src/semmle/javascript/security/dataflow/ReflectedXss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ReflectedXss.qll
@@ -6,7 +6,7 @@
 import javascript

 module ReflectedXss {
-  import Xss::ReflectedXss
+  import ReflectedXssCustomizations::ReflectedXss

  /**
   * A taint-tracking configuration for reasoning about XSS.
@@ -23,13 +23,4 @@ module ReflectedXss {
      node instanceof Sanitizer
    }
  }
-
-  /** A third-party controllable request input, considered as a flow source for reflected XSS. */
-  class ThirdPartyRequestInputAccessAsSource extends Source {
-    ThirdPartyRequestInputAccessAsSource() {
-      this.(HTTP::RequestInputAccess).isThirdPartyControllable()
-      or
-      this.(HTTP::RequestHeaderAccess).getAHeaderName() = "referer"
-    }
-  }
 }
--- a/javascript/ql/src/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll
@@ -0,0 +1,19 @@
+/**
+ * Provides default sources for reasoning about reflected
+ * cross-site scripting vulnerabilities.
+ */
+
+import javascript
+
+module ReflectedXss {
+  import Xss::ReflectedXss
+
+  /** A third-party controllable request input, considered as a flow source for reflected XSS. */
+  class ThirdPartyRequestInputAccessAsSource extends Source {
+    ThirdPartyRequestInputAccessAsSource() {
+      this.(HTTP::RequestInputAccess).isThirdPartyControllable()
+      or
+      this.(HTTP::RequestHeaderAccess).getAHeaderName() = "referer"
+    }
+  }
+}